Audit vs. Pentest: Finding the Seam Between Pieces of Armor

We at VDA have noticed that many financial institutions (banks, credit unions, etc.) are getting a vast variety of lower cost “audits” all the time. Things like: IT Audit, Network Security Audit, Firewall Audit, Password Audit, etc. That’s fine on one hand. But, we’ve noticed that findings are often noted as ‘possible’ – meaning an issue was perhaps detected, but not exploited or taken further. An example of a weak finding would be like:

LLMNR poisoning attack on the client’s internal network was conducted. The result was the capture of password hashes. These password hashes could be broken offline.

The finding is true on one hand. But will the client get the seriousness of the problem? And will they be able to communicate it to upper management with just that information? Not usually, is the answer.

We have notice that disparate tests with weak findings do not have the same security impact compared to a real pentest. What do we mean by “real”? We mean a comprehensive, external, internal, phishing, applications, wireless, physical, etc. A pentest where vulnerabilities that are discovered are exploited in order to make the impact of those issues clear in the report.

For example, in the above captured hash finding, at VDA we would take that much further. We would describe which hash was captured, how we used that to move laterally in the network, and then elevate to domain admin, how we then obtained and cracked the majority of the other hashes, how we got into a VIP email inbox, here’s a picture of that inbox, here’s a picture of sensitive data we found therein, etc. (be careful there, be sure to sanitize reports, as clients often share further than they should).

The point is, you need to really show impact to the client. It’s very easy for stakeholders to overlook vague findings provided in the many audits they often have done. Clients need clear findings that show impact. That allows them to communicate the need for remediation to upper management. Also, clients need clear remediation advice on how to fix the problem. That way when funding (or other support) comes through to enhance security, they’re best positioned to do so.

An analogy we use to help explain things is thinking about each type of test as each piece of a medieval knights armor. External is the breastplate, phishing assessment is the helmet. If you do each of them separately, they could look very good, but if you combine assessing external with phishing, we can now go for the seam and stab between the pieces of armor. An example is phishing credentials, then using those creds to authenticate to a single-factor VPN that never would have been exploited during an external test only. Many serious vulnerabilities in organizations are found in the seam between pieces of armor.